If you are running your services through a web proxy or load balancer, additional configuration will be required on them.

You want a strong and future-proof SSL configuration that is not vulnerable to known attacks on the SSL protocol or its encryption. It must also maintain some level of backwards compatibility with older host software, but you must continually keep your software updated and your configuration current so as not to give the end user a false sense of security.

Test your SSL connection

nmap is a tool for scanning software for security holes and limitations. You can use it to display the list of cipher suites a server supports for SSL connections. This gives you a simple overview of the type of encryption your server provides. First, install nmap on a Linux box if you have not already.

The next step is to run the nmap command and specify that you want a list of the cipher suites. You must specify the server you want to initiate an SSL connection to. For this exercise we are using localhost, but any domain name or IP address with port 443 open can be used.

Notes regarding the example scan

Support for the SSLv3 protocol should be removed completely. Recent security risks such as the POODLE and FREAK attacks take advantage of weaknesses in the protocol, and all relevant browser clients support TLS as a replacement.

In the example above several weak or broken TLS ciphers are enabled and should be removed. These ciphers give the end user a false sense of security, as the ciphers themselves are breakable.

Because ECDHE ciphers are enabled, we can remove the slower DHE ciphers. Like DHE, ECDHE suites support Forward Secrecy, so we will not lose this enhanced security feature.

Only TLS version 1.0 was enabled. To get the best support and performance we should also enable the most recent versions.

OpenSSL cipher support

Your web server can't use the most secure ciphers if you don't have an up-to-date version of OpenSSL.

To view the complete list of ciphers available on your server run:

openssl ciphers

To upgrade your OpenSSL package on RHEL variants run:

sudo yum update openssl

Generate a new Diffie-Hellman group

Modern browsers have increased the minimum group size to 1024 bits. You should generate a 2048-bit or 4096-bit group.

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 2048

Make changes to your web server configuration

The examples here will be shown for the Nginx web server on RHEL variant machines.

The default configuration file for Nginx is /etc/nginx/nginx.conf, but your site may be defined within /etc/nginx/conf.d/.

The ssl_ciphers line enables or disables the specific cipher suites Nginx will use to negotiate an encrypted channel between client and server.

The ssl_protocols line defines which SSL/TLS protocol versions Nginx makes available for use.

ssl_prefer_server_ciphers is given a boolean value. A value of 'on' will help protect against BEAST attacks.

vim /etc/nginx/nginx.conf
# specify the order of the ciphers that we want, and those we don't want
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# enable only TLS protocols
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# help ensure that the browser uses the ciphers that we want
ssl_prefer_server_ciphers on;
# use the Diffie-Hellman group generated above
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# optimal session variables
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

Reload Nginx configuration:

systemctl reload nginx

Re-check your HTTPS connection cipher list:

nmap --script ssl-enum-ciphers -p 443 localhost
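
A static check of the same directives can run before the reload and complement the nmap scan. The script below is an added example, not part of the original article: the function names, the weak-suite keyword list and both sample configs are constructed for illustration, and it assumes a single server context.

```shell
# Added example: static audit of the nginx TLS directives discussed above.

# Print the value of directive $1 in config file $2 (comments ignored, last one wins).
nginx_directive() {
    sed -e 's/#.*//' "$2" | awk -v d="$1" '
        $1 == d { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]*;[ \t]*$/, ""); v = $0 }
        END { print v }'
}

# Print one FAIL line per finding; return 0 only when nothing was found.
audit_nginx_tls() {
    conf=$1; findings=0
    fail() { echo "FAIL $1"; findings=$((findings + 1)); }
    protocols=$(nginx_directive ssl_protocols "$conf")
    case " $protocols " in
        *" SSLv2 "*|*" SSLv3 "*) fail "ssl_protocols enables SSLv2/SSLv3: $protocols" ;;
    esac
    case " $protocols " in
        *" TLSv1.2 "*|*" TLSv1.3 "*) ;;
        *) fail "ssl_protocols does not enable a recent TLS version" ;;
    esac
    # Weak-suite keywords below are this example's choice, not a list from the page.
    for tok in $(nginx_directive ssl_ciphers "$conf" | tr -d "'\"" | tr ':' ' '); do
        case $tok in
            '!'*|-*) ;;  # '!' and '-' remove suites from the list
            *RC4*|*DES*|*MD5*|*EXP*|*NULL*) fail "ssl_ciphers enables weak suite: $tok" ;;
        esac
    done
    [ "$(nginx_directive ssl_prefer_server_ciphers "$conf")" = on ] ||
        fail "ssl_prefer_server_ciphers is not on"
    [ -n "$(nginx_directive ssl_dhparam "$conf")" ] || fail "ssl_dhparam is not set"
    [ "$findings" -eq 0 ]
}

# Constructed sample configs: a weak one, and the directives from this page.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
ssl_protocols SSLv3 TLSv1;   # legacy clients
ssl_ciphers 'HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL';
# ssl_prefer_server_ciphers on;
EOF
cat > "$tmp/hardened.conf" <<'EOF'
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOF
audit_nginx_tls "$tmp/weak.conf" || echo "weak.conf: findings listed above"
audit_nginx_tls "$tmp/hardened.conf" && echo "hardened.conf: clean"
```

The check only reads the configuration text; the nmap scan remains the confirmation of what the running server actually negotiates.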

Backwards-compatibility

The Mozilla group has provided a cipher list which is intended to maintain a balance between security, performance, and backwards-compatibility. Use the following if you are hosting a public service/website: